The 2023 DoDIG CUI Audit As Explained by a Gen Alpha

Yo squad, as you know, it’s my new favorite thing to have LLMs break down important Department docs using Gen Alpha slang. Accordingly, here’s the lowdown on how the DoD’s trying (and sometimes failing) to handle “Controlled Unclassified Information” (CUI). Basically, they’re fumbling the bag a bit. Let’s break it down:


Objective

The whole point of this audit was to see if the DoD really had their stuff together when it came to rolling out their rules for handling CUI. They needed to:

  1. Set up some solid guidelines.
  2. Train everyone so they knew what they were doing.
  3. Make sure everyone (both inside the DoD and the contractors) followed through and did things right.

We also peeked at a bunch of documents and emails to see if they were labeled correctly with the right CUI tags. Spoiler: A lot of them weren’t.

Background

In 2010, President Obama signed an executive order to fix the way the government handled info that wasn’t exactly top-secret but still needed some protection. Before this, different departments were all over the place with labels like "For Official Use Only" (FOUO), “Sensitive But Unclassified,” and "Law Enforcement Sensitive." It was chaos.

Obama’s order was supposed to standardize all of this, with one label: CUI. It meant everything had to be done the same way across the government, including the DoD. Fast forward to today: the DoD came up with their own set of rules called DoDI 5200.48, which outlined exactly how they were supposed to handle CUI. But here’s the thing—people weren’t really paying attention, and it’s causing problems.

The Issue?
People are throwing CUI labels on things that don’t need them, locking down info unnecessarily, or worse, not labeling stuff at all when they should.


Findings

Okay, here’s the tea on what we found:

  1. Rules are in place, but no one’s making sure people are following them. It’s like having all these fancy guidelines, but no one’s checking if you’re actually using them. The DoD wasn’t overseeing how well their employees (and contractors) were following the CUI rules.
  2. A bunch of the docs and emails didn’t have the right CUI labels. We’re talking almost half of the documents and emails we checked weren’t labeled properly. Some were missing headers and footers, others didn’t have portion markings, and some just didn’t label which part of the document was secret.
  3. People weren’t getting trained properly, or they weren’t even taking the training at all. Like, the DoD is supposed to make sure everyone gets CUI training every year, but in reality, a lot of people either didn’t do it or took the wrong course.

What Went Wrong?

Let’s dive into the juicy details of how the DoD messed this up:

1. Sloppy Marking (46% of docs didn’t have the right tags!)

We checked 300 documents, and nearly half of them didn’t have CUI tags. It’s like turning in your homework with no name on it—basically useless. Here’s the breakdown:

  • 139 docs didn’t even have the basic “CUI” tag at the top or bottom.
  • 145 docs skipped the part where they say who’s in charge of protecting that info.
  • 26 docs missed marking specific sections of the doc that needed protection.

2. Emails Were a Total Fail (87% were labeled wrong!)

Emails were even worse. We checked 31 emails that should’ve had CUI labels, and almost none of them did it right. Some didn’t have any CUI labels, others didn’t say who was responsible for the info, and only one email even tried to mark certain parts as sensitive.

Here’s a fun stat: 27 out of 31 emails didn’t even bother to throw a CUI tag at the top or bottom. Like, come on, you had one job!

3. People Weren’t Doing Their Training (23% missed it!)

When we looked at the training records, 84 out of 372 people we checked either didn’t complete their CUI training or didn’t do it right. And remember, these are the folks who are supposed to be handling sensitive information.


Why Did This Happen?

  1. Old Systems, Bad Habits: Some departments were still using outdated templates or systems that didn’t even have the option to tag things with “CUI.” They were stuck using the old “FOUO” tags. For example, the Army had a database called the Central Army Registry that only gave them the option to mark things as either Unclassified or FOUO—no CUI option available. They’ve asked for a fix, but nothing’s been done yet.
  2. No Tools to Help: People didn’t have any tools to help them auto-label their docs and emails. Like, there’s no button you could click that says “tag this as CUI,” so they just forgot, or skipped it altogether.
  3. Lack of Follow-Up: There was no tracking system to make sure people were getting trained or marking their docs correctly. It was a free-for-all.

What Needs to Be Done (aka How to Fix This)

We came up with 14 recommendations to help the DoD get back on track. Here’s the rundown:

  1. Auto-Tag Docs and Emails: The DoD should develop a tool that automatically adds the CUI tags to documents and emails. That way, people can’t forget or mess it up.
  2. Track Training: They need a proper system to keep track of who’s taken their CUI training, and who hasn’t. No more slacking off.
  3. Clear Up the Confusion About Sharing Info: There’s a lot of confusion about who can access certain info. Like, the DoD was using these “Federal employees only” and “Federal employees and contractors only” rules (FED ONLY and FEDCON) to lock out Congress from seeing certain info. But that’s not how it’s supposed to work. They need to clarify when these rules should actually be used.
  4. Test for Screw-Ups: Every year, DoD offices need to test a sample of docs and emails to see if they’re marked correctly. If not, they gotta fix it.
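Here's what the yearly sample test from recommendation 4 could look like in Python, as an added example that is not from the DoD IG report or the original post. It checks each doc for the three marking defects counted above; the `Controlled by:` line, the `(CUI)`/`(U)` portion marks, the "if any paragraph is portion-marked, all must be" rule, and the sample docs are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample documents for illustration; none come from the audit.
SAMPLES = {
    "good.txt": "CUI\nControlled by: Example Office\n(CUI) Part specs.\n(U) Lunch menu.\nCUI",
    "no_banner.txt": "Controlled by: Example Office\n(CUI) Part specs.\n(U) Lunch menu.",
    "no_owner.txt": "CUI\n(CUI) Part specs.\n(U) Lunch menu.\nCUI",
    "partial_portions.txt": "CUI\nControlled by: Example Office\n(CUI) Part specs.\nLunch menu.\nCUI",
}

# Text conventions assumed by this example.
BANNER = re.compile(r"^CUI(//\S+)?$")              # banner line at top and bottom
OWNER = re.compile(r"^Controlled by:\s*\S", re.I)  # who is responsible for the info
PORTION = re.compile(r"^\((CUI|U)\)\s")            # per-paragraph portion mark


def check_markings(text):
    """Return the list of marking defects found in one document."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines:
        return ["empty"]
    defects = []
    # Defect 1: no CUI banner as the first and last line.
    if not (BANNER.match(lines[0]) and BANNER.match(lines[-1])):
        defects.append("banner")
    # Defect 2: nothing says who controls the information.
    if not any(OWNER.match(l) for l in lines):
        defects.append("designation_indicator")
    # Defect 3: portion marks used on some paragraphs but not all (assumed rule).
    body = [l for l in lines if not BANNER.match(l) and not OWNER.match(l)]
    marked = [bool(PORTION.match(l)) for l in body]
    if any(marked) and not all(marked):
        defects.append("portion_marking")
    return defects


def audit_sample(docs):
    """Check every doc; return per-doc defects, defect counts, failure rate."""
    results = {name: check_markings(text) for name, text in docs.items()}
    counts = Counter(d for defects in results.values() for d in defects)
    failed = sum(1 for defects in results.values() if defects)
    return results, dict(counts), (failed / len(docs) if docs else 0.0)


if __name__ == "__main__":
    results, counts, rate = audit_sample(SAMPLES)
    for name, defects in results.items():
        print(f"{name}: {', '.join(defects) or 'ok'}")
    print(f"defect counts: {counts}; failure rate: {rate:.0%}")
```
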

Management’s Reaction

We hit up some big shots in the DoD to see if they agreed with our fixes:

  • Army and Air Force: They’re on board and are already making moves to fix things.
  • Missile Defense Agency: They kind of agreed, but their response was weak sauce, so we’re not holding our breath.
  • Navy: They ghosted us. Literally didn’t respond to the draft report.

TL;DR: The DoD dropped the ball big time on making sure people know how to handle sensitive info. Docs and emails aren’t labeled right, and training’s a mess. They need better systems, tools, and oversight, or else they’re risking spilling a lot of sensitive info by accident.

Original Report Credit to DOD Inspector General: D2023-D000CR-0167.000.PDF